Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for use in a system comprising a network application and a client device, the method comprising acts of: receiving, by a device state token service that has a trust relationship with the network application, a notification from the network application, the notification indicating that the client device attempts to access the network application; providing, by the device state token service, a request for information to the client device in response to receiving the notification; receiving, by the device state token service, information from the client device describing a characteristic and/or state of the client device in response to the request, the device state token service also having a pre-existing trust relationship with the client device, the pre-existing trust relationship indicating that the client device trusts the device state token service to issue device claims to the client device; processing the information to generate first device claims, which describe at least one of one or more characteristics of the client device or a state of the client device, to be issued to the client device; and issuing the first device claims to the client device.
2. The method of claim 1, wherein the receiving the notification is in response to the client device being redirected to the device state token service, after a request by the client device to access the network application.
3. The method of claim 1, wherein the providing the request comprises: providing, by the device state token service, a policy and/or script usable by the client device to collect the information; and wherein the receiving the information comprises: receiving a result generated via execution of the policy and/or script, the result comprising information generated by a trusted platform module (TPM) component on the client device.
4. The method of claim 1, further comprising: establishing a binding between the generated first device claims and the client device.
5. The method of claim 1, further comprising, prior to receiving the information, the device state token service responding to a request issued by the client device to authenticate the device state token service.
6. At least one computer-readable storage device having instructions encoded thereon which, when executed by a client device in a system comprising the client device and a network application, perform a process comprising: requesting access to the network application; receiving an indication of a plurality of device state token services trusted by the network application to issue device claims; selecting, from among the plurality of device state token services, a device state token service with which the client device has a pre-existing trust relationship, the pre-existing trust relationship indicating that the client device trusts the device state token service to issue device claims to the client device; communicating a request to the device state token service to issue device claims describing a characteristic and/or state of the client device; receiving a request for information from the device state token service in response to communicating the request to the device state token service; and providing information to the device state token service describing at least one of one or more characteristics of the client device or a state of the client device in response to receiving the request for information.
7. The at least one computer-readable storage device of claim 6, wherein selecting the device state token service comprises selecting, from among the plurality of device state token services, the device state token service based on the device state token service satisfying predetermined criteria.
8. The at least one computer-readable storage device of claim 6, further comprising, prior to requesting access to the network application: receiving a response to a request, which is issued by the client device to authenticate at least one of the plurality of device state token services, from the at least one of the plurality of device state token services.
9. The at least one computer-readable storage device of claim 6, further comprising, in response to providing the information to the device state token service, receiving issued device claims; and employing the issued device claims in connection with a request to access the network application.
10. The at least one computer-readable storage device of claim 9, wherein receiving issued device claims comprises: receiving issued device claims that include a binding between the issued device claims and the client device.
11. The at least one computer-readable storage device of claim 6, wherein receiving the request for information comprises: receiving a script from the device state token service in response to communicating the request to the device state token service; and wherein the process further comprises: executing the script to collect the information describing the at least one of the one or more characteristics of the client device or the state of the client device.
12. The at least one computer-readable storage device of claim 6, wherein selecting the device state token service comprises selecting, from among the plurality of device state token services, the device state token service with which the client device has a pre-existing trust relationship based on the client device having the pre-existing trust relationship with the device state token service.
13. A system, comprising: one or more processor circuits; and storage coupled to the one or more processor circuits via an interconnection mechanism, the storage configured to store instructions that are executable by the one or more processor circuits, the one or more processor circuits configured to execute the instructions to perform operations comprising: provide a notification to a device state token service by a network application or an intermediary interposed between a client device and the network application in response to the client device attempting to access the network application, the notification indicating that at least one device claim is to be provided to the client device; receive from the client device one or more device claims in response to the notification being provided to the device state token service, the one or more device claims describing at least one of a characteristic of the client device or a state of the client device; determine that the one or more device claims are effective and authentic, and that the one or more device claims were issued to the client device by the device state token service with which the client device has a pre-existing trust relationship, the pre-existing trust relationship indicating that the client device trusts the device state token service to issue the one or more device claims to the client device; when it is determined that the one or more device claims are effective and authentic, evaluate the one or more device claims to determine whether access to a network application should be granted to the client device; and when it is determined that access should be granted, grant the client device access to the network application.
14. The system of claim 13, wherein the network application is configured to include at least one of the one or more processor circuits.
15. The system of claim 13, wherein the intermediary is configured to include at least one of the one or more processor circuits.
16. The system of claim 13, wherein at least one of the one or more processor circuits is configured to execute instructions to determine that the device claims have not expired to determine that the one or more device claims are effective and authentic.
17. The system of claim 13, wherein at least one of the one or more processor circuits is configured to execute instructions to determine that the device claims have not been revoked to determine that the one or more device claims are effective and authentic.
18. The system of claim 17, wherein at least one of the one or more processor circuits is configured to execute instructions to determine that an identity of the client device has not been revoked to determine that the one or more device claims are effective and authentic.
19. The system of claim 17, wherein at least one of the one or more processor circuits is configured to execute instructions to query the device state token service to determine that the one or more device claims are effective and authentic.
20. The system of claim 13, wherein at least one of the one or more processor circuits is configured to execute instructions to, when it is determined that access should not be granted, instruct the client device on steps to take for access to be granted by providing information to the client device relating to remediating a deficiency in the device claims causing it to be determined that access should not be granted.
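The flow in claims 13 through 20 (a device state token service issues device claims bound to the client device; the network application checks that the claims are authentic, not expired, not revoked, that the device identity is not revoked, evaluates them against policy, and returns remediation guidance on denial) is shown below as an added illustration. It is not code from the patent or its assignee. The token format, the HMAC shared-secret signing between issuer and network application, the claim names (tpm_present, disk_encrypted, os_patch_level), the policy, and the in-memory revocation lists are all assumptions made for this example; the claims do not specify any of them.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust configuration (hypothetical): the network application holds a
# shared secret per device state token service it trusts to issue device claims.
TRUSTED_ISSUERS = {"dsts-1": b"constructed-shared-secret-for-dsts-1"}
# Constructed revocation state (hypothetical): revoked claim ids and revoked device identities.
REVOKED_CLAIM_IDS = set()
REVOKED_DEVICE_IDS = set()
# Constructed access policy (hypothetical): which device claims the application requires.
POLICY = {"tpm_present": True, "disk_encrypted": True}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_claims(issuer_id, device_id, device_state, now, ttl=3600):
    """Device state token service: turn reported device state into device claims
    that are bound to the device (sub), time-limited (exp) and individually
    identifiable for revocation (jti). Signing is an assumed HMAC-SHA256 scheme."""
    key = TRUSTED_ISSUERS[issuer_id]
    payload = {
        "iss": issuer_id,
        "sub": device_id,
        "jti": f"{device_id}-{int(now)}",
        "iat": int(now),
        "exp": int(now) + ttl,
        "claims": {
            "tpm_present": bool(device_state.get("tpm_present")),
            "disk_encrypted": bool(device_state.get("disk_encrypted")),
            "os_patch_level": str(device_state.get("os_patch_level", "unknown")),
        },
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_device_claims(token, presenting_device_id, now):
    """Network application side: decide whether presented device claims are
    'effective and authentic'. Returns (payload, None) on success, else (None, reason)."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
        payload = json.loads(body)
    except ValueError:
        return None, "malformed"
    if not isinstance(payload, dict):
        return None, "malformed"
    key = TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:
        return None, "untrusted issuer"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None, "bad signature"
    if payload.get("sub") != presenting_device_id:
        return None, "claims not bound to presenting device"
    if payload.get("exp", 0) <= now:
        return None, "expired"
    if payload.get("jti") in REVOKED_CLAIM_IDS:
        return None, "claims revoked"
    if payload["sub"] in REVOKED_DEVICE_IDS:
        return None, "device identity revoked"
    return payload, None


def access_decision(token, presenting_device_id, now):
    """Evaluate verified claims against POLICY; on denial for a policy deficiency,
    return remediation steps the client can act on (claim 20)."""
    payload, reason = verify_device_claims(token, presenting_device_id, now)
    if payload is None:
        return {"granted": False, "reason": reason, "remediation": None}
    claims = payload["claims"]
    deficiencies = [k for k, want in POLICY.items() if claims.get(k) != want]
    if deficiencies:
        steps = [f"set {k} to {POLICY[k]}" for k in deficiencies]
        return {"granted": False, "reason": "policy", "remediation": steps}
    return {"granted": True, "reason": None, "remediation": None}


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    state = {"tpm_present": True, "disk_encrypted": True, "os_patch_level": "2015-08"}
    token = issue_device_claims("dsts-1", "dev-42", state, now)
    print(access_decision(token, "dev-42", now + 10))
    print(access_decision(token, "dev-42", now + 4000))  # expired
```

The checks run in the order a relying party would want: issuer trust and signature first (so nothing in an unauthenticated payload is acted on), then binding to the presenting device, then expiry and the two revocation lists. A production deployment would replace the in-memory sets with a query to the issuing service, as claim 19 describes, and would use asymmetric signatures so the network application cannot mint claims itself.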
August 18, 2015